Despite FCC "Scare Tactics," Researcher Demos AT&T Eavesdropping

Researcher Chris Paget pulled off a stunt at the Defcon security conference Saturday that required as much legal maneuvering as technical wizardry: eavesdropping on the cell phone calls of AT&T subscribers in front of thousands of admiring hackers.

With about $1,500 worth of hardware and open-source software, Paget turned two on-stage antennas into a setup capable of impersonating the base stations that GSM phones on AT&T and T-Mobile connect to. Paget configured his hardware to announce itself as an AT&T network, and dozens of phones in the room attached to his fake base station. “As far as your cell phones are concerned, I’m now indistinguishable from AT&T,” he told the crowd.

Paget invited anyone with an AT&T phone to make a call. Using his GSM hijacking trick, he routed their calls through a voice-over-IP system that connected the calls normally while recording the audio to a USB stick, which he promptly destroyed with a pair of scissors to make sure he hadn’t violated any privacy laws. The hack, after all, was intended to show the fundamental insecurity of GSM cell signals, not to spy on callers.

Even minutes before his demonstration, it wasn’t clear whether Paget would go through with his cell-snooping act. He says he received a call from the Federal Communications Commission (FCC) on Friday morning, warning him about a long list of federal regulations that he might be violating with the demo.

“It wasn’t a particularly productive conversation,” he said in a meeting with reporters before his talk. “It seemed more like scare tactics to me.”

Requests for comment from the FCC and the GSM Association, which represents companies that use the GSM protocol, weren’t immediately returned, though we’ll update this post when we hear from them.

Paget’s demo sidestepped the FCC’s legal hurdles with a clever loophole. Creating your own GSM cell tower isn’t generally legal. But Paget transmitted in a slice of the 900 MHz band that is allocated to amateur (ham) radio in the United States but used by GSM networks in Europe. Since Paget is a licensed ham radio operator, he’s ostensibly protected from charges of running an unlicensed base station. “I’m operating as a licensed HAM radio transmitter, but your handset thinks I’m a European cell tower,” he said.
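The frequency overlap that makes this loophole work can be checked directly from the GSM channel numbering. The following is an added example written for this page, not code from Paget’s demo or from the article: it applies the ARFCN-to-frequency formula of 3GPP TS 45.005 for the P-GSM and E-GSM 900 bands and tests each channel’s two carriers against the US 33 cm amateur allocation, which the example assumes to be 902–928 MHz (the article only says “reserved for ham radio”). It also goes slightly beyond the article by checking the handset’s transmit side, not just the base station’s.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed band edges for the US 33 cm amateur allocation, in kHz (47 CFR Part 97).
# The article does not state them; they are this example's own input.
US_33CM_AMATEUR_KHZ: Tuple[int, int] = (902_000, 928_000)


@dataclass(frozen=True)
class Gsm900Channel:
    arfcn: int
    uplink_khz: int    # handset transmits here (Fl(n) in 3GPP TS 45.005)
    downlink_khz: int  # base station transmits here (Fu(n) = Fl(n) + 45 MHz)


def gsm900_channel(arfcn: int) -> Gsm900Channel:
    """Map an ARFCN to its carrier pair for P-GSM 900 (0..124) and E-GSM 900 (975..1023).

    TS 45.005 section 2:
        Fl(n) = 890 + 0.2*n          MHz  for    0 <= n <= 124
        Fl(n) = 890 + 0.2*(n - 1024) MHz  for  975 <= n <= 1023
        Fu(n) = Fl(n) + 45           MHz
    Integer kHz arithmetic avoids float rounding right at the band edges.
    """
    if 0 <= arfcn <= 124:
        uplink = 890_000 + 200 * arfcn
    elif 975 <= arfcn <= 1023:
        uplink = 890_000 + 200 * (arfcn - 1024)
    else:
        raise ValueError(f"ARFCN {arfcn} is outside the GSM 900 band")
    return Gsm900Channel(arfcn, uplink, uplink + 45_000)


def in_band(freq_khz: int, band_khz: Tuple[int, int]) -> bool:
    lo, hi = band_khz
    return lo <= freq_khz <= hi


def overlap_report(band_khz: Tuple[int, int] = US_33CM_AMATEUR_KHZ) -> Dict[str, List[int]]:
    """List the GSM 900 ARFCNs whose base-station (downlink) carrier, and whose
    handset (uplink) carrier, fall inside the given band."""
    arfcns = list(range(0, 125)) + list(range(975, 1024))
    chans = [gsm900_channel(n) for n in arfcns]
    return {
        "downlink_in_band": [c.arfcn for c in chans if in_band(c.downlink_khz, band_khz)],
        "uplink_in_band": [c.arfcn for c in chans if in_band(c.uplink_khz, band_khz)],
    }


if __name__ == "__main__":
    report = overlap_report()
    print("ARFCNs whose base-station carrier sits in the amateur band:")
    for n in report["downlink_in_band"]:
        c = gsm900_channel(n)
        print(f"  ARFCN {n}: BTS tx {c.downlink_khz / 1000:.1f} MHz, "
              f"handset tx {c.uplink_khz / 1000:.1f} MHz")
    print("ARFCNs whose handset carrier sits in the amateur band:", report["uplink_in_band"])
```

Running it shows that only the E-GSM channels 975 through 989 put the base station’s own transmitter inside the 902–928 MHz allocation, and that for every one of those the paired handset carrier lands below 902 MHz. The amateur licence argument, as the article describes it, therefore covers what the fake base station transmits, not what the phones transmit back; no GSM 900 channel places both directions inside the amateur band.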

Paget’s fake base station trick, the kind of device commonly called an IMSI catcher, is one that law enforcement and intelligence agencies have been using for years. But Paget says his $1,500 method is the least expensive and most accessible version of the hack ever performed. “This is a thousand times cheaper than anything that’s done this before,” he says.

Though Paget’s hack can only intercept the 2G GSM protocol, his equipment first transmits radio noise to jam the 3G connections, so that phones fall back to searching for a 2G signal and connect to his hardware instead.

For now, his method can only intercept outgoing calls, and it shows the wrong caller ID on the recipient’s phone. But neither of those limitations applies to the more expensive versions of the interception technology, and both could be fixed in his cheaper attack with more time, he says.

The highly-public hack is intended to show that GSM is a fundamentally insecure system, and should be dumped altogether in favor of 3G protocols. “GSM is broken,” says Paget. “The primary solution is to turn it off altogether.”

In practical terms, that would mean T-Mobile and AT&T phones shouldn’t be set to fall back to 2G signals when a 3G connection isn’t available. While BlackBerry phones have an option to use only 3G signals, iPhones and Android handsets don’t, Paget says.

Paget says he’s warned the GSM Association, the industry organization that oversees the standard, about his hack, but his concerns have been dismissed. “The GSMA says GSM is secure,” he says. “The only defense I can put forth is to demonstrate that it isn’t.”

Update: The GSM Association responded in a statement that lists the limitations of Paget’s method: the eavesdropper would have difficulty identifying or targeting any specific user; the interception only works within a certain range; in some cases the call’s encryption could prevent eavesdropping; and GSM phones are designed to alert users when a base station removes encryption, as a fake base station does when it instructs the handset to run without ciphering. That alert, the ciphering indicator, is part of the GSM standard, but the carrier can switch it off through the SIM, which is why few handsets ever display it. (Paget said in his talk that no device he’s tested, including iPhone and Android phones, has had this option enabled.)

In summary, the GSM Association spokeswoman writes, “The overall advice for GSM calls and fixed line calls is the same. Neither has ever offered a guarantee of secure communications. The great majority of users will make calls with no reason to fear that anyone might be listening. However users with especially high security requirements should consider adding extra, end-to-end security features over the top of both their fixed line calls and their mobile calls.”
